CVE-2024-12084
Publication date 9 January 2025
Last updated 23 January 2025
Ubuntu priority
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.
Read the notes from the security team
Why is this CVE high priority?
Possible remote code execution or denial of service
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rsync | 24.10 oracular |
Vulnerable
|
| 24.04 LTS noble |
Fixed 3.2.7-1ubuntu1.1
|
|
| 22.04 LTS jammy |
Fixed 3.2.7-0ubuntu0.22.04.3
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
alexmurray
affects rsync since 3.2.7 as was introduced in upstream commit ae16850dc58e884eb9f5cb7f772342b2db28f471
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7206-1
- rsync vulnerabilities
- 14 January 2025